BugTraq
Re: Another ProductCart SQL Injection Vulnerability
Jul 05 2003 06:39AM
Massimo Arrigoni (support earlyimpact com)
In-Reply-To: <1057289439.3f04f4dfaf159 (at) webmail.bosen (dot) net [email concealed]>
Instructions on how to address this security issue:
-------------------------------------------------------------------
Users of ProductCart v1.5 and earlier:
Please contact Early Impact ASAP to update to a later version of
ProductCart. Send a message to support (at) earlyimpact (dot) com [email concealed]. The update is free.
-------------------------------------------------------------------
Users of ProductCart v1.6:
Open the file "pcadmin/login.asp" and replace the following lines:
pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
with
pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
pIdAdmin=replace(pIdAdmin,"--","")
If NOT isNumeric(pIdAdmin) then
    response.redirect "msg.asp?message=1"
    response.end
end if
pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
-------------------------------------------------------------------
Users of ProductCart v2:
Replace "pcadmin/login.asp" with an updated version of this file that you
can request immediately by contacting Early Impact at
support (at) earlyimpact (dot) com [email concealed]
-------------------------------------------------------------------
We have already notified all ProductCart resellers of the above. We will
also notify within the next few hours all ProductCart users that have
purchased the software directly from us.
At Early Impact we are working day and night to make our application as
secure as it can be. If you have any questions, please contact us at
support (at) earlyimpact (dot) com [email concealed]
Best Regards,
The Early Impact Team
>Received: (qmail 20442 invoked from network); 4 Jul 2003 14:55:16 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 4 Jul 2003 14:55:16 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id E4498A3228; Fri, 4 Jul 2003 08:56:07 -0600 (MDT)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 13256 invoked from network); 4 Jul 2003 03:28:46 -0000
>X-Qmail-Scanner-Mail-From: mobile (at) bosen (dot) net [email concealed] via prambanan.java.net.id
>X-Qmail-Scanner: 1.16 (Clear:SA:0(0.0/5.0):. Processed in 0.586905 secs)
>Message-ID: <1057289439.3f04f4dfaf159 (at) webmail.bosen (dot) net [email concealed]>
>Date: Fri, 4 Jul 2003 10:30:39 +0700
>From: Bosen <mobile (at) bosen (dot) net [email concealed]>
>To: bugs (at) securitytracker (dot) com [email concealed], bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Another ProductCart SQL Injection Vulnerability
>MIME-Version: 1.0
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Originating-IP: 202.73.121.173
>X-Errot-Report-To: Agus Supriadhie <bosen (at) antionline (dot) org [email concealed]>
>X-Version: 3.1
>X-Spam-Status: No, hits=0.0 required=5.0
> tests=none
> version=2.55
>X-Spam-Level:
>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
>
>ProductCart SQL Injection Vulnerability
>_______________________________________________________________________________
>
>
>1ndonesian Security Team (1st)
>http://bosen.net/releases/
>===============================================================================
>Security Advisory
>
>
>
>Advisory Name: ProductCart SQL Injection Vulnerability
> Release Date: 06/20/2003
> Application:
> ProductCart v1.5
> ProductCart v1.5002
> ProductCart v1.5003
> ProductCart v1.5003r
> ProductCart v1.5004
> ProductCart v1.6b
> ProductCart v1.6br
> ProductCart v1.6br001
> ProductCart v1.6br003
> ProductCart v1.6b001
> ProductCart v1.6b002
> ProductCart v1.6b003
> ProductCart v1.6002
> ProductCart v1.6003
> ProductCart v2
> ProductCart v2br000
> Platform: Win32/MSSQL
> Severity: High
> BUG Type: SQL Injection
> Author: Bosen <mobile (at) bosen (dot) net [email concealed]>
> Discover by: Bosen <mobile (at) bosen (dot) net [email concealed]>
>Vendor Status: See below.
> Vendor URL: http://www.earlyimpact.com/
> Reference: http://bosen.net/releases/
>
>
>
>Overview:
>From the web:
>"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce
>features with time-saving store management tools and remarkable ease of use."
>From the author:
>"Even though the application is not Open Source, we can 'debug' the application
>on the fly. And with SQL Injection we can query some information about the
>tables and database, even the data itself. With more work it will give the
>ability to access the admin control panel site."
>
>
>
>Details:
>The error messages of the application are handled very well, but not that well,
>because they still have an XSS injection vulnerability (read my previous
>advisories). Those error handlers would make exploitation very difficult to do.
>But not all scripts are handled by those error handler scripts.
>For example Custva.asp is still vulnerable to SQL Injection.
>
>But the worst is on the admin control panel, which can be injected by the old
>famous SQL injection 'or 1=1--', which makes you able to get access into the
>admin control panel without needing any access.
>
>
>
>Exploits/POC:
>file Custva.asp
>http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--&_email=email&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit
>
>file login.asp
>http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--
>
>
>
>Vendor Response:
>Contacted. No response yet.
>
>
>
>Recommendation:
>No recommendation for this.
>
>
>
>1ndonesian Security Team (1st) Advisory:
>http://bosen.net/releases/
>
>
>
>About 1ndonesian Security Team:
>1ndonesian Security Team researches and develops intelligent, advanced
>application security assessment. Based in Indonesia, 1ndonesian Security Team
>offers best of breed security consulting services, specialising in application,
>host and network security assessments.
>
>1st provides security information and patches for use by the entire 1st
>community.
>
>This information is provided freely to all interested parties and may be
>redistributed provided that it is not altered in any way, 1st is appropriately
>credited and the document retains.
>
>
>Greetz to:
>AresU, TioEuy, sakitjiwa, muthafuka, alphacentury
>All 1ndonesian Security Team - #hackers (at) austnet (dot) org [email concealed]/centrin.net.id
>
>
>
>
>
>
>
>Bosen <mobile (at) bosen (dot) net [email concealed]>
>======================
>Original document can be found at http://bosen.net/releases/?id=40
>
>
>
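The vendor's v1.6 fix above makes the admin id pass a numeric check before it is used in the login query. The Python below is an added illustration and is not ProductCart's code or Early Impact's: it mirrors the patch's steps (double quotes, strip "--", require a number) with a deliberately stricter digits-only test than VBScript's IsNumeric, and then looks the id up with a parameterized query against a small in-memory SQLite table constructed here. The table, column names, sample rows and function names are assumptions for the example.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Constructed sample data for this demonstration; not ProductCart's real schema.
SAMPLE_ADMINS = [(12, "alice"), (13, "bob")]


def legacy_escape(value: str) -> str:
    """The only treatment the pre-patch login.asp applied: double every single quote.

    Quote doubling protects a value placed inside a quoted SQL string literal.
    It does nothing for a value concatenated unquoted into a numeric comparison,
    which is why the vendor patch adds a type check on top of it.
    """
    return value.replace("'", "''")


def validate_admin_id(raw: str) -> Optional[int]:
    """Mirror the vendor's v1.6 patch: escape quotes, strip "--", require a number.

    Hypothetical Python equivalent of the ASP lines quoted on the page. The
    numeric test is deliberately stricter than VBScript's IsNumeric (which also
    accepts signs, decimals, exponents and surrounding whitespace): only an
    unsigned decimal integer passes. Returns the parsed id, or None where the
    ASP page would redirect to msg.asp?message=1 and end the response.
    """
    cleaned = legacy_escape(raw).replace("--", "")
    if not re.fullmatch(r"[0-9]+", cleaned):
        return None
    return int(cleaned)


def make_db() -> sqlite3.Connection:
    """Build an in-memory admin table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (idAdmin INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    conn.commit()
    return conn


def lookup_admin(conn: sqlite3.Connection, raw_id: str) -> Optional[Tuple[int, str]]:
    """Validate the request value, then query with a bound parameter.

    The placeholder keeps the id out of the SQL text entirely, so a value is
    only ever compared as data, never parsed as part of the statement.
    """
    admin_id = validate_admin_id(raw_id)
    if admin_id is None:
        return None
    return conn.execute(
        "SELECT idAdmin, name FROM admins WHERE idAdmin = ?", (admin_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # A normal request value and the injection string quoted in the advisory above.
    for value in ("12", "'' or 1=1--"):
        print(repr(value), "->", lookup_admin(db, value))
```

Stripping "--" is kept only to mirror the patch; with a digits-only test it is redundant, and the parameterized query is what actually removes the string-concatenation problem for every input, including the e-mail field used against Custva.asp.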
Copyright 2010, SecurityFocus